Paul Tietjens
2011-Jul-26 19:04 UTC
[Samba] _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request
I am getting errors in my samba logs like "_netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client XXX machine account XXX$" (Host log: http://pastebin.com/QXhbngN5).

So far, machines do seem to join the domain (Machine account is created in LDAP, user can log in, etc), but I am concerned that when Windows 7 machines reach their 30 days they will begin issuing "trust account has expired or is incorrect" messages.

Since we have a couple thousand machines, I wish to avoid that. I have followed the instructions at http://wiki.samba.org/index.php/Windows7 and tried a few other things (but have not touched the sign/seal regkeys) and still get these errors in the logs when a machine boots and auths any user. I have updated the samba bins from debian backports to run version 3.5.8.

I have made sure that our DNS server registers the machine account with hostname.DOMAIN, have tried turning off/on ntlmv2 on the server and using gpedit on the client, have made sure that time is synchronous on the server/client, have removed and re-added the machine account many times, and have tried some registry hacks like:

HKLM\System\CCS\Services\TcpIp\Parameters
Domain: XXX.com
NV Domain: XXX.com

Where should I look next?
Paul Tietjens
2011-Aug-01 15:16 UTC
[Samba] _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request
Sure enough, now that machines' passwords are passing the thirty day range, they are refusing to log on, citing "No logon server available". This is despite having evidence of their machine account passwords changing in LDAP (sambaPwdLastSet being updated). Some machines, oddly, will log on, but will then fail to retrieve resources from the PDC. I can confirm that these machines are no using cached credentials.

Does anyone have a Samba 3.5/OpenLDAP > PDC for Windows 7 clients? If so, I would like to compare your configuration/machine account ldif with my own to try and troubleshoot this.
Harry Jede
2011-Aug-01 17:38 UTC
[Samba] _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request
On 19:17:01 wrote Paul Tietjens:
> I am getting errors in my samba logs like "_netr_ServerAuthenticate3:
> netlogon_creds_server_check failed. Rejecting auth request from
> client XXX machine account XXX$" (Host
> log: http://pastebin.com/QXhbngN5).
>
> So far, machines do seem to join the domain (Machine account is
> created in LDAP, user can log in, etc), but I am concerned that when
> Windows 7 machines reach their 30 days they will begin issuing "trust
> account has expired or is incorrect" messages.
>
> Since we have a couple thousand machines, I wish to avoid that. I
> have followed the instructions at
> http://wiki.samba.org/index.php/Windows7 and tried a few other things
> (but have not touched the sign/seal regkeys) and still get these errors
> in the logs when a machine boots and auths any user. I have updated
> the samba bins from debian backports to run version 3.5.8.
>
> I have made sure that our DNS server registers the machine account
> with hostname.DOMAIN, have tried turning off/on ntlmv2 on the server
> and using gpedit on the client, have made sure that time is
> synchronous on the server/client, have removed and re-added the
> machine account many times, and have tried some registry hacks like:
> HKLM\System\CCS\Services\TcpIp\Parameters
> Domain: XXX.com
> NV Domain: XXX.com
>
> Where should I look next?

From your log:

ldapsam_getsampwsid: Unable to locate SID [S-1-5-21-1048866067-1567326443-2860397223-515] count=0
[2011/07/26 12:04:02.543539, 2] passdb/pdb_ldap.c:2446(init_group_from_ldap)

So find this group by hand:

ldapsearch -x -LLL sambasid=S-1-5-21-1048866067-1567326443-2860397223-515

Should look like this:

# ldapsearch -x -LLL sambasid=S-1-5-21-2895420538-1884802692-219078741-515
dn: cn=Domain Computers,ou=groups,dc=xx,dc=xx
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 515
cn: Domain Computers
description: Netbios Domain Computers accounts
sambaSID: S-1-5-21-2895420538-1884802692-219078741-515
sambaGroupType: 2
displayName: Domain Computers

And you are using debian with winbind? Check the status of winbind:

smbcontrol winbind ping
PONG from pid 11761

If you don't get a pong, you are not running winbindd, or you have a broken deb.

cd /var/run/samba
ln -s winbindd-winbindd.conf.pid winbindd.pid

and winbind works :-) .

If you have fixed these two possible issues and things still don't work, check your ldap acls. To do this set the loglevel of slapd to 384 (ACL + FILTER).

--
Regards
Harry Jede
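
The first check from the reply above, run offline against a saved smbd log and an LDIF export, as an added example that is not part of the thread. The function names, file names and the second ("Broken") LDIF entry are constructed for illustration, and the two SIDs are the ones quoted in the thread. It assumes a resolvable entry must look like the expected output in the reply, that is, carry objectClass sambaGroupMapping together with the sambaSID.

```shell
#!/bin/sh
# Added example: cross-check SIDs smbd could not resolve against an LDIF dump.

# Print each distinct SID from "Unable to locate SID [...]" log lines.
missing_sids() {  # $1 = smbd log file
    sed -n 's/.*Unable to locate SID \[\(S-[0-9-]*\)\].*/\1/p' "$1" | sort -u
}

# Succeed only if one LDIF entry carries both the sambaGroupMapping class and this SID.
# Assumes unfolded LDIF with a blank line between entries.
has_group_mapping() {  # $1 = SID, $2 = LDIF file
    awk -v sid="$1" 'BEGIN { RS = ""; FS = "\n" }
        { m = s = 0
          for (i = 1; i <= NF; i++) {
              if ($i == "objectClass: sambaGroupMapping") m = 1
              if ($i == "sambaSID: " sid) s = 1
          }
          if (m && s) found = 1 }
        END { exit !found }' "$2"
}

report() {  # $1 = smbd log, $2 = LDIF file
    for sid in $(missing_sids "$1"); do
        if has_group_mapping "$sid" "$2"; then echo "OK $sid"; else echo "MISSING $sid"; fi
    done
}

# Constructed sample data (log format and SIDs as quoted in the thread).
SAMPLE=$(mktemp -d)
cat > "$SAMPLE/log.smbd" <<'EOF'
  ldapsam_getsampwsid: Unable to locate SID [S-1-5-21-1048866067-1567326443-2860397223-515] count=0
  ldapsam_getsampwsid: Unable to locate SID [S-1-5-21-1048866067-1567326443-2860397223-515] count=0
  ldapsam_getsampwsid: Unable to locate SID [S-1-5-21-2895420538-1884802692-219078741-515] count=0
EOF
cat > "$SAMPLE/groups.ldif" <<'EOF'
dn: cn=Domain Computers,ou=groups,dc=xx,dc=xx
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 515
sambaSID: S-1-5-21-2895420538-1884802692-219078741-515
sambaGroupType: 2

dn: cn=Broken,ou=groups,dc=xx,dc=xx
objectClass: posixGroup
sambaSID: S-1-5-21-1048866067-1567326443-2860397223-515
EOF

report "$SAMPLE/log.smbd" "$SAMPLE/groups.ldif"
```

A MISSING line covers both a SID that appears nowhere in the export and, as in the constructed "Broken" entry, one that is present without the sambaGroupMapping object class.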